James Arlen, sometimes known as Myrcurial, is a security consultant at Leviathan Security Group usually found in tall buildings wearing a suit, founder of the Think|Haus hackerspace, contributing analyst for Securosis, columnist at Liquidmatrix Security Digest, Infosec geek, hacker, social activist, author, speaker, and parent. He’s been at this security game for more than 19 years and loves blinky lights and shiny things.

The Message and The Messenger

You are a great person – a unique and special snowflake – you have many brilliant ideas. You are completely ineffective at getting those ideas out of your head and to an audience. If you need to stand up in front of a crowd of more than zero and persuasively deliver information – you need to be here. Whether delivering a status report or standing in front of an audience, there are ways to deliver information that will increase the chances that people will retain and act upon it. Join this fast-paced talk during which there will be some instruction, some ugly self-evaluation and a path you can follow to get from Idea to Delivery. Stop presenting like crap and failing to get your point across.

Dave has over 15 years of industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Senior Security Advocate for Akamai. Dave is the founder of the popular security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also has a blog on CSO entitled « Brick of Enlightenment ».

Prior to his current role, Dave worked in the finance, healthcare, entertainment, manufacturing and critical infrastructure verticals. He has worked for a defense contractor as a security consultant to clients such as the FBI, US Navy, Social Security Administration, US Postal Service and the US Department of Defense to name a few.

Blake Cornell

Blake Cornell has been an IT innovator and developer with over a decade of experience within software and security. He has consulted Fortune 500 companies and various law enforcement agencies with hopes of enacting solutions to ease everyday issues. His research has included the discovery and vendor resolution of several VoIP zero-day vulnerabilities and several application level fuzzers. One fuzzer in particular, sipArmyKnife, is included within the Kali Linux penetration testing distribution. He is currently the Chief Technical Officer of Integris Security LLC.

Olivier Bilodeau (Panel lead)

Coming from the dusty Unix server room world, Olivier evolved professionally in networking, information security and open source software development to finally become a malware researcher at ESET Canada. Speaking at Defcon, publishing in (In)secure Mag, teaching infosec to undergrads (ÉTS), driving the NorthSec Hacker Jeopardy and co-organizing the MontréHack CTF training initiative are among his noteworthy successes. A true devil’s advocate at heart, Olivier likes controversial opinions and creating good debates.

Robert Masse is an accomplished visionary, security strategist and business leader with twenty years of experience in security and information technology. Leveraging an energetic leadership style with effective execution skills, he has a strong ability to present complex security and business issues with clarity and credibility that allows him to secure management alignment to obtain company objectives.

An entrepreneur at heart, Robert has enjoyed contributing to the success of several start-ups over the last 15 years, with his most recent company earning him a semi-finalist position for the Ernst & Young Entrepreneur of the year award.

Over his career, Robert has been widely recognized for his ability to give proper executive guidance to mismanaged business initiatives that have spanned across the globe (with a strong focus in Asia).

Panel: Responsible Disclosure

Let’s have a discussion about vulnerability disclosure. How should we disclose vulnerabilities? Fully, responsibly or sell them? Is a 7-day window like Google’s still responsible? Why don’t hard rules about responsible disclosure scale from Web applications to industrial systems or mobile phones when it comes to deploying fixes? How can researchers make money selling vulnerabilities? Should they or is it extortion? There is a lot to say on this topic including talking about: Google, Facebook’s bounty programs, the Zero-Day-Initiative, releasing Proof-of-Concept or not, certain industries’ legal constraints, etc. Join us for an interesting debate!

Questions for the panelists are published on a Google Moderator that we will use during the presentation: http://goo.gl/BiU3cH. Due to the breadth of the topic, we encourage you to ask and vote on the questions that matter the most to you.

Robert Masse is an accomplished visionary, security strategist and business leader with twenty years of experience in security and information technology. Leveraging an energetic leadership style with effective execution skills, he has a strong ability to present complex security and business issues with clarity and credibility that allows him to secure management alignment to obtain company objectives.

An entrepreneur at heart, Robert has enjoyed contributing to the success of several start-ups over the last 15 years, with his most recent company earning him a semi-finalist position for the Ernst & Young Entrepreneur of the year award.

Over his career, Robert has been widely recognized for his ability to give proper executive guidance to mismanaged business initiatives that have spanned across the globe (with a strong focus in Asia).

Considered a mentor by many employees he has managed and worked with over the years, he provides leadership to his team by promoting and mobilizing professional accountability, coaching and team development.

DENIAL OF SERVICE AS A SERVICE – ASYMMETRICAL WARFARE AT ITS FINEST

Imagine being DDOS’d repeatedly with up to 10Gbps of traffic on a daily basis. Your logs are useless (when your systems are even able to collect data). How do you stop the attacks? Crippling Distributed Denial of Service “As a Service” or DDoSaaS ™ attacks can be done with $200 lifetime memberships against the largest organizations around – and are almost impossible to stop. Asymmetrical warfare at its finest.

The presentation will focus on an investigation that was done in 2013 regarding a large DDOS attack against a regional ISP in Quebec, Canada. The DDOS attack affected tens of thousands of citizens, from municipal 911 services (don’t ask) to chicken farmers.

We’ll talk about the investigative techniques (including social engineering) that were used to track down the suspect and the eventual arrest.

Yury Chemerkin started as a reverser and security developer and continued to gain experience on malware and mobile security. In the last four years he has been researching Mobile and Cloud solutions (and IAM solutions in general) for exploitation based on misunderstood security principles or developing as a distributed spyware infrastructure. Now he is a broad security researcher and takes part in developing live monitoring and forensics solutions. Also, he regularly contributes to Groteck Business Media, Hakin9 and PenTest magazines as a non-staff writer.

Questionable value of MDM from the BYOD’s viewpoint

Mobile devices collect an amount of sensitive data that should be protected and controlled. Each OS provides extensive APIs that are controlled by a permission system as part of the OS. This proposal examines the security model of mobile platforms and the capability of their native security features, as enhanced by MDM, to face attacks and bring a certain level of trust and transparency. It also covers mobile security with respect to compliance standards and guidelines, with an analysis of the gaps that let audit checks be passed easily with weak metrics. This is a way of moving away from the impact of vendor lock-in, combining different visions of security, and analyzing requirements for missing but useful security countermeasures.

P.S. Some practical cases aim to show the real difference between device and MDM security features and possible attacks, as well as how far they align with compliance.

Blake Cornell has been an IT innovator and developer with over a decade of experience within software and security. He has consulted Fortune 500 companies and various law enforcement agencies with hopes of enacting solutions to ease everyday issues. His research has included the discovery and vendor resolution of several VoIP zero-day vulnerabilities and several application level fuzzers. One fuzzer in particular, sipArmyKnife, is included within the Kali Linux penetration testing distribution. He is currently the Chief Technical Officer of Integris Security LLC.

Mr. Cornell had also presented a topic at an FBI cyber security conference detailing the threats of domestic terrorist cells using Unmanned Aerial Improvised Explosive Devices (UAIED) within the US mainland. Thirteen months later Rezwan Ferdaus was arrested, charged and eventually sentenced to a 17 year prison sentence for attempting to execute what Mr. Cornell had outlined during his presentation. Cornell also has created the technology behind Clerk 123 LLC. These technologies included a remotely controlled full disk encryption appliance platform, intrusion detection and prevention, three-factor authentication solutions, OSINT Active Denial System (internal use blacklist) and more. In 2003, Mr. Cornell designed, wrote and implemented a semi-passive network tracking technology which revealed the identity of the IT administrator hosting a majority of Islamic Terrorism websites at that time.

Fuzzing in the 5th Dimension: Why the NSA should have every vulnerability by now

Quantum computers, at present, are in their infancy. They are computational machines that can simultaneously compute the same function with different values within a dataset. This holds many implications. Specifically, for me, quantum computers mean a single thing, entropy, and a whole lot of it! Loops begin to look like functions and classical software can become 100% bug free. “[R]esearchers have developed an algorithm that allows [them] to tell whether a piece of software code is bug-free — something that, they note, is impossible with classical computers”. For software to be bug free the software would also have to be vulnerability free. That is unless your intention is to exploit software bugs and never fix them.

High budgeted intelligence organizations, such as the NSA, will not help fix vulnerabilities, only find as many as possible. The intention is to use these vulnerabilities for offensive operations and fixing them is counter-intuitive to that goal. I will make the case for the top echelon of security researchers and organizations to be able to utilize a technique I’m calling: “Quantum Viewed Source Code Unit Testing” or Fuzzing in the 5th dimension.

We’ll overview quantum computers’ role in the end of traditional vulnerabilities, the future of new ones, quantum’s implication on classical cryptographic algorithms, what cryptography may resemble in the future and why access to a “quantum computing time-share” would benefit security researchers.

Georgia Weidman is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), NIST 4011, and Offensive Security Certified Professional (OSCP) certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Blackhat, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to build the Smartphone Pentest Framework(SPF).

Bypassing Security Controls with Mobile Devices

« We’ve got Mobile Device Management, BYOD is not a risk for us! » « Our proxy filters all outbound traffic, no one is getting a shell out ever! » Companies are putting a lot of faith in these security mechanisms to stop the threats of mobile devices. In this talk we put those big claims to the test and look at ways to bypass security restrictions on and using mobile devices. For example, we will see if that MDM that claims it can detect rooting/jailbreaking has ever heard of polymorphic code. And that proxy that stops all outbound traffic unless it’s in the Internet Explorer process authenticated against the domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Code examples of all the techniques used will be demoed live and released as additions to the author’s Smartphone Pentest Framework.

Robert Portvliet is a senior consultant and the network security service line lead for Foundstone. He is also the primary instructor and course steward for Foundstone’s Ultimate Hacking: Wireless and Ultimate Hacking: Expert classes. Robert has presented wireless hacking classes at Blackhat USA 2011, 2012 and 2013, as well as at NYU Poly. He has also given talks on wireless research at Defcon 20 and Phreaknic 16. Robert lives with his wife and a menagerie of cats in New Jersey, and enjoys mountain biking, motorcycling and music in his spare time.

Introduction to Near Field Communications (NFC)

NFC (Near Field Communication) is a set of standards for close proximity communications between two devices or a device and a tag over 13.56MHz, which is quickly gaining in popularity on mobile devices. This one hour talk will begin with the basics of NFC, then cover the protocols and standards involved (LLCP, SNEP, NPP, NDEF, etc.), various modes of operations, and tag types. We will discuss the best hardware to use in order to interact with NFC capable devices and tags, then move on to vulnerabilities discovered in NFC, and NFC capable devices, as well as attacks which have been implemented against those vulnerabilities.

At a young age Jeremiah was being recruited by leading technology companies in the US such as ISS and NASA JPL. He excelled at NASA’s Jet Propulsion Lab (JPL) in building a Tiger Team and successfully performing intrusion and vulnerability assessments. The respected author of numerous articles, books and white papers, Jeremiah is currently an acting Professor at Sheridan Institute of Technology and Advanced Learning where his focus is advanced intrusion prevention systems, malicious code design & defence and ethical hacking. His career has been highlighted throughout the years as an Information Security Consultant, currently residing at Access2Networks, a Toronto based business specializing in IT security.

As their principal consultant, Jeremiah is responsible for providing leadership and focus within the Penetration testing, assessment and incident response teams. Jeremiah lives in the Greater Toronto Area with his three wonderful children and their dog “Teensy”.

Warranty voiding techniques

« Hardware Hacking » is a phrase referring to the modification, cannibalization or combination of new and/or old technologies to create something different, in order to solve a problem, make something more affordable/awesome, test out an idea, for experimentation/education, or just because you can.

We all live in a cut and paste world; we have the ability to rearrange our digital lives with just a few clicks of the mouse. Wouldn’t it be cool if electronics could be the same way? After all, who does not want a hacked keyboard that can bypass hardware key-loggers, or to turn the old « used to be junk » baby monitor into a covert eavesdropping device? How about using a Raspberry Pi and a paintball gun for an automated turret system with facial recognition, or just simply modding your XBOX or other gaming console… With the proper knowledge and tools, and an eagerness to learn, the possibilities are endless.

Sherif is the founder of Software Secured – an application security firm. He has 14 years of experience in the software development industry, with the last 6 years solely focused on application security testing, security assessments and teaching developers how to write secure code. Sherif’s main target is helping organizations assess their high-risk software applications using a source-code driven security methodology. He started his security career by working on the infamous OWASP security teaching tool WebGoat 5.0; he then helped SANS launch their GSSP-JAVA and GSSP-NET programs, as well as writing the blueprints of the Dev-544 and Dev-541 courses. In addition to that, he authored courseware for SANS SEC-540: VOIP Security. In addition to leading the OWASP Ottawa Chapter, Sherif is leading the Static Analysis Code Evaluation Criteria for WASC. Sherif also performed security code reviews for 3 of the 5 largest banks in the United States. Before starting Software Secured, Sherif worked on architecting, designing, implementing and leading large-scale software projects for Fortune 500 companies including United Technologies and other leading organizations including Nortel Networks, March Healthcare, Carrier, Otis Elevators and NEC Unified Communications.

Sometimes Your Code Needs an Open Heart Review

If you performed proper Threat Modeling, security design reviews, security architecture and performed proper security testing, you might not need to worry about Security Code Reviews. But if your organization leaves security last then you need to take drastic measures to put security back into your application. Security Code Review is the best approach to uncover the largest number of security flaws, and the only approach to find certain types of vulnerabilities. During this session, you will learn how to perform security code reviews using open-source tools, and an effective process to follow in order to catch as many flaws as possible. Be prepared to look at a lot of code and exercise those code review skills.